Friday Five 10/7
This week saw some good news around securing the midterm elections, warnings about IRS phishing scams, and new orders from CISA. Catch up in this week’s Friday Five!
1. CISA DIRECTIVE ORDERS FEDERAL CIVILIAN AGENCIES TO REGULARLY REPORT SOFTWARE VULNERABILITIES BY SUZANNE SMALLEY
The Cybersecurity and Infrastructure Security Agency (CISA) announced a Binding Operational Directive this past week, Improving Asset Visibility and Vulnerability Detection on Federal Networks (BOD 23-01), which will require federal civilian agencies to discover their assets, enumerate vulnerabilities on them, and report detailed vulnerability data to CISA at set intervals using automated tools. According to CISA Director Jen Easterly, “this is a movement essentially to allow CISA, in its role as operational lead for federal cybersecurity, to manage federal cybersecurity as an enterprise.” Read more about the directive in the full story from CyberScoop.
2. FBI: CYBERATTACKS TARGETING ELECTION SYSTEMS UNLIKELY TO AFFECT RESULTS BY BILL TOULAS
In a joint public service announcement, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) report that they have not seen any measurable impact from cyber activity attempting to compromise election infrastructure. The announcement attributes this primarily to a set of technological tools and strict procedural controls that give election officials confidence that the likelihood of a successful phishing, denial-of-service, domain spoofing, or ransomware attack affecting results is low.
Exploiting any potential vulnerabilities in that election infrastructure would reportedly require physical access to the devices, access to the Election Management System (EMS), or a supply chain attack that modifies the files before the operating system images are loaded onto ImageCast X devices.
3. HUGE INCREASE IN SMISHING SCAMS, WARNS IRS BY PIETER ARNTZ
The Internal Revenue Service (IRS) issued a warning for taxpayers this past week about a recent spike in IRS-themed "smishing" (or SMS phishing) scams aimed at stealing personal and financial information. In the latest campaign the IRS has seen, the scam texts ask taxpayers to click a link which leads them to phishing websites. Find out more about how you can prevent falling victim to one of these scams and where to report them in the full story from Pieter Arntz at Malwarebytes Labs.
4. NO FIX IN SIGHT FOR MILE-WIDE LOOPHOLE PLAGUING A KEY WINDOWS DEFENSE FOR YEARS BY DAN GOODIN
Researchers from ESET revealed this past week that the North Korea-backed Lazarus hacking group tricked two victims into opening a malicious Word document that gave the attackers administrative privileges on the users' computers. The ultimate goal was access to the kernel, the core of the Windows OS, which lets an attacker take total control of a machine. Rather than exploiting a zero-day, however, the attackers used the administrative privileges they had already gained to exploit a loophole in Microsoft's driver signature enforcement (DSE): DSE checks that a kernel driver carries a valid signature, not that the signed code is free of exploitable bugs, so an administrator can load a legitimately signed but vulnerable driver and then abuse it to tamper with the kernel, a technique often called "bring your own vulnerable driver" (BYOVD). Read more on how this was accomplished in the full story at Ars Technica.
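The practical defensive check that follows from the DSE loophole is to know which signed drivers are actually present on your endpoints and whether any of them is a known vulnerable one. The PowerShell script below is an added example for this roundup, not code from ESET, Microsoft, or the Ars Technica story. It inventories the kernel drivers registered on a Windows host, records each one's Authenticode signer and SHA-256 hash, flags any hash that appears in a block list, and reports whether hypervisor-protected code integrity (HVCI) is running. The hash in `$KnownVulnerableSha256` is a placeholder and is assumed to be replaced with entries from a maintained source such as Microsoft's vulnerable driver block list or the LOLDrivers project.

```powershell
# Added example: inventory kernel drivers and flag known-vulnerable or badly signed ones.
# Run in an elevated PowerShell session. Not part of the ESET research or the Ars story.

# Placeholder block list: replace with real SHA-256 hashes of vulnerable signed drivers
# taken from a maintained source (Microsoft vulnerable driver block list, loldrivers.io).
$KnownVulnerableSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder entry
)

function Get-DriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName can be written as \??\C:\... or \SystemRoot\...; normalise to a plain path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (Test-Path -LiteralPath $path) {
                $sig  = Get-AuthenticodeSignature -LiteralPath $path
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                [pscustomobject]@{
                    Name      = $_.Name
                    State     = $_.State            # Running / Stopped
                    Path      = $path
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                    SigStatus = $sig.Status         # Valid means DSE would happily load it
                    Sha256    = $hash
                    KnownVuln = $KnownVulnerableSha256 -contains $hash
                }
            }
        }
}

function Get-HvciState {
    # HVCI enforces Microsoft's driver block list; SecurityServicesRunning contains 2 when it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

$inventory = Get-DriverInventory

# The BYOVD case is exactly a driver with SigStatus 'Valid' and KnownVuln $true:
# the signature check passes, the code is still exploitable.
$inventory |
    Where-Object { $_.KnownVuln -or $_.SigStatus -ne 'Valid' } |
    Format-Table Name, State, SigStatus, Signer, Sha256 -AutoSize

Get-HvciState
```

A driver that shows up as `Valid` and `KnownVuln` is the case DSE cannot help with on its own; HVCI plus an up-to-date block list is the control that refuses to load it, so the last line is worth checking on the same host.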
5. META SAYS IT HAS BUSTED MORE THAN 400 LOGIN-STEALING APPS THIS YEAR BY LILY HAY NEWMAN
Meta has reportedly found and reported over 400 apps in official app stores that were stealing victims’ Facebook credentials, and will notify a million users that their login information may have been compromised. Read more on how the apps disguised themselves, which app stores they lived in, and what information they may have stolen in the full story at Wired.